WDigest
WDigest (Digest Authentication) is a challenge/response protocol that was primarily used in Windows Server 2003 for LDAP and web-based authentication. It relies on Hypertext Transfer Protocol (HTTP) and Simple Authentication and Security Layer (SASL) exchanges to authenticate.
It should be noted that up to Windows 8 and Windows Server 2012, storing credentials in WDigest was a default setting. This is no longer the case with Windows 10 and Windows Server 2016+. Additionally, it should be noted that WDigest credentials are cached in memory in cleartext.
It is easy to verify whether or not caching is enabled by querying the following registry key:
If identified, WDigest credentials can be retrieved with a tool such as Mimikatz:
It should be noted that even though storing credentials in WDigest is no longer a default setting, it is still something an attacker can manually enable after obtaining access to a system by modifying the following registry value:
Once enabled, the credentials of any user who subsequently authenticates to the system can be dumped with a tool like Mimikatz.
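The registry check described above, and the re-enabling trick that follows it, can both be covered by one audit script. This is an added example and not part of the original page; it assumes the standard Windows location for the setting (`HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest`, value `UseLogonCredential`) and interprets an absent value using the OS defaults stated above.

```powershell
# Added example: audit (and optionally remediate) WDigest cleartext credential caching.
# Assumes the standard Windows registry location for the setting; run elevated to use -Remediate.
$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$ValueName  = 'UseLogonCredential'

function Get-WDigestCachingStatus {
    [CmdletBinding()]
    param([switch]$Remediate)

    # Per the text above: on Windows 8 / Server 2012 and earlier an absent value means caching is on;
    # on Windows 10 / Server 2016+ an absent value means it is off.
    $osVersion = [Version](Get-CimInstance Win32_OperatingSystem).Version
    $defaultWhenAbsent = if ($osVersion.Major -ge 10) { 0 } else { 1 }

    $item = Get-ItemProperty -Path $WDigestKey -Name $ValueName -ErrorAction SilentlyContinue
    $explicitlySet = ($null -ne $item)
    $effective = if ($explicitlySet) { [int]$item.$ValueName } else { $defaultWhenAbsent }

    # An explicit value of 1 on a modern OS is the interesting case: somebody turned it back on.
    $finding = if ($effective -eq 1) {
        if ($explicitlySet) { 'UseLogonCredential=1 set explicitly: review who changed it and when' }
        else { 'Legacy OS default: cleartext caching enabled' }
    } else { 'WDigest cleartext caching disabled' }

    $remediated = $false
    if ($Remediate -and $effective -eq 1) {
        if (-not (Test-Path $WDigestKey)) { New-Item -Path $WDigestKey -Force | Out-Null }
        Set-ItemProperty -Path $WDigestKey -Name $ValueName -Value 0 -Type DWord
        # Applies to new logon sessions; secrets already cached in LSASS remain until logoff/reboot.
        $remediated = $true
    }

    [pscustomobject]@{
        Key              = "$WDigestKey\$ValueName"
        ExplicitlySet    = $explicitlySet
        EffectiveValue   = $effective
        CleartextCaching = ($effective -eq 1)
        Finding          = $finding
        Remediated       = $remediated
    }
}

# Audit only; add -Remediate to force the value to 0.
Get-WDigestCachingStatus | Format-List
```

Because the attacker path is a single registry write, the same value is worth watching continuously: Sysmon registry value-set events (Event ID 13) filtered on this key name will surface the change as it happens rather than at the next audit.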